To monitor traffic on a physical network, IT pros capture from a given network interface. When you move to virtual networks, monitoring traffic becomes more involved, but it doesn't have to cost you more.
You can monitor and then analyze virtual network traffic from within a virtual machine (VM). By default, however, the vSwitch port group security policy rejects promiscuous mode, so a VM can only capture traffic addressed to that specific VM.
To capture traffic that is sent between VMs on the same ESXi host, configure the virtual switch (vSwitch) and the port group to allow VMs to use promiscuous mode. With promiscuous mode enabled, third-party monitoring software running inside the VM can capture the network traffic. Free options such as Wireshark (Figure 1) fit the bill without taking a bite out of IT's budget.
Switching on promiscuous mode for a vSwitch port group is easy. Select the Configuration tab of the VMware vSphere host in either vCenter Server or the vSphere Client, and select Networking in the Hardware section. Open the properties of the vSwitch, select the port group for which you're activating promiscuous mode, and set the policy in its Security tab.
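The same change can be made from the ESXi Shell with esxcli instead of the vSphere Client. The script below is an added example and not part of the original article; the vSwitch name, the port group name and the idea of a dedicated capture port group are assumptions for illustration. It enables promiscuous mode on one port group only, leaving the vSwitch-level policy at its default, and then audits every port group on the host so that promiscuous mode does not quietly stay enabled where it is not needed (any VM placed on such a port group can read all of that port group's traffic). The esxcli calls need a real ESXi host; the `promisc_state` parser runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed placeholders: vSwitch "vSwitch0" and a dedicated capture port group "Capture-PG".
VSWITCH="${VSWITCH:-vSwitch0}"
CAPTURE_PG="${CAPTURE_PG:-Capture-PG}"

# Enable promiscuous mode on the capture port group only. The vSwitch-level
# security policy is left at its default (reject), so other port groups on
# the same vSwitch keep rejecting promiscuous mode.
enable_capture_pg() {
    esxcli network vswitch standard portgroup policy security set \
        -p "$CAPTURE_PG" --allow-promiscuous=true
}

# Read the output of "esxcli network vswitch standard portgroup policy security get"
# from stdin and print "enabled" or "disabled" based on the "Allow Promiscuous" line.
# The line format below matches esxcli's default output, e.g.:
#    Allow Promiscuous: false
promisc_state() {
    awk -F': *' '/^ *Allow Promiscuous:/ { print ($2 == "true") ? "enabled" : "disabled"; exit }'
}

# List every standard port group on the host and warn about each one that allows
# promiscuous mode. The CSV formatter is used so port group names containing
# spaces (e.g. "VM Network") are not split; the formatter flags are assumed.
audit_promiscuous() {
    esxcli --formatter=csv --format-param=fields=Name \
        network vswitch standard portgroup list | sed '1d; s/,$//' |
    while read -r pg; do
        state=$(esxcli network vswitch standard portgroup policy security get -p "$pg" | promisc_state)
        if [ "$state" = "enabled" ]; then
            echo "WARNING: promiscuous mode enabled on port group '$pg'"
        fi
    done
}

# Usage from the ESXi Shell (not executed when this file is only sourced):
#   . ./promisc.sh && enable_capture_pg && audit_promiscuous
```

The expected outcome of `audit_promiscuous` after the change is a single warning for the capture port group; any additional warning points at a port group where promiscuous mode was enabled earlier and probably forgotten.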
Administrators will need to work a bit harder to monitor network traffic that is sent on the physical network outside of the vSphere host.
The physical switch must support mirroring network traffic, which each switch vendor implements differently. A switch normally forwards a packet only to the port on which the destination Media Access Control (MAC) address is listening. Traffic mirroring puts the target switch port into promiscuous mode, so that port receives all network traffic rather than only the traffic addressed to its associated MAC address.
To finish the configuration, connect the mirror port (the switch port that receives all network traffic) to a physical network card of the ESXi host that runs the monitoring VM. Once that connection is in place, the VM can receive all traffic sent on the physical network and you can use it for monitoring.
With promiscuous mode turned on, you can start analyzing network traffic. Select an interface to start a live packet capture. Packets will scroll by at high speed, so if you're looking for specific information, configure a capture filter that specifies which network traffic should be kept for further analysis.
Your VMware virtual environment is now configured to capture packets on a switched network for further analysis. If you only want to analyze packets sent to VMs on the same host, the procedure is easy: enable promiscuous mode on the vSwitch port group. If you also want to analyze packets sent on the physical network, your switch must mirror traffic to a specific switch port before you can capture it from within the VM. Since VMware doesn't provide any specific tools for packet capturing, use third-party tools for virtual network traffic analysis.
This was first published in November 2012